When menace actors use backdoor malware to realize entry to a community, they need to be sure all their laborious work can’t be leveraged by competing teams or detected by defenders. One countermeasure is to equip the backdoor with a passive agent that continues to be dormant till it receives what’s identified within the enterprise as a “magic packet.” On Thursday, researchers revealed {that a} never-before-seen backdoor that quietly took maintain of dozens of enterprise VPNs operating Juniper Community’s Junos OS has been doing simply that.
J-Magic, the monitoring identify for the backdoor, goes one step additional to stop unauthorized entry. After receiving a magic packet hidden within the regular circulate of TCP visitors, it relays a problem to the system that despatched it. The problem comes within the type of a string of textual content that’s encrypted utilizing the general public portion of an RSA key. The initiating get together should then reply with the corresponding plaintext, proving it has entry to the key key.
Open sesame
The light-weight backdoor can be notable as a result of it resided solely in reminiscence, a trait that makes detection more durable for defenders. The mixture prompted researchers at Lumin Know-how’s Black Lotus Lab to take a seat up and take discover.
“Whereas this isn’t the primary discovery of magic packet malware, there have solely been a handful of campaigns in recent times,” the researchers wrote. “The mixture of concentrating on Junos OS routers that function a VPN gateway and deploying a passive listening in-memory solely agent, makes this an attention-grabbing confluence of tradecraft worthy of additional remark.”
The researchers discovered J-Magic on VirusTotal and decided that it had run contained in the networks of 36 organizations. They nonetheless don’t understand how the backdoor bought put in. Right here’s how the magic packet labored:
The passive agent is deployed to quietly observe all TCP visitors despatched to the system. It discreetly analyzes the incoming packets and watches for one among 5 particular units of information contained in them. The situations are obscure sufficient to mix in with the conventional circulate of visitors that community protection merchandise received’t detect a menace. On the identical time, they’re uncommon sufficient that they’re not more likely to be present in regular visitors.
